Vaelor/python-mattermost-driver

SSLError: ssl3_get_record - wrong version number

Closed this issue · 10 comments

Using with Python 3.6.1
When trying to execute the code, get this error:

urllib3.exceptions.MaxRetryError: HTTPSConnectionPool(host='domain.com', port=8065): Max retries exceeded with url: /api/v4/users/login (Caused by SSLError(SSLError("bad handshake: Error([('SSL routines', 'ssl3_get_record', 'wrong version number')],)",),))

Seems like this is related to:
https://stackoverflow.com/a/9963668/3090556

Hey, thank you for reporting.
Not knowing anything about your setup - is that correct that you have SSLv3 on the server you are trying to connect to?

AFAIK this is not secure anymore. So maybe you should consider changing the server you are trying to connect to, not to use sslv3 anymore.

I guess I will have a look at it, but I somehow don't like supporting insecure stuff (user's choice OFC.. but meh :-D )

Since I don't really consider myself to be an expert regarding SSL/the python SSL library in general I will have to read a bit. Maybe you even have to enable SSLv3 in your system to get it to work. Not sure if just telling python to use SSLv3 works if the openssl library (or whatever python uses) does not support it.

@shivamb Probably you have an old version of openssl installed, so the python interpreter cannot use a current version of TLS to make a handshake with a mattermost server that doesn't support old versions of TLS...

Closing because I got no feedback for over a month and I don't really consider it a good idea. As far as I can see from the description it is more a fault with the server running mattermost.

Same here with Python 3.7

@supermihi
Same responses as before: Not sure if this is a good idea, because:

Hey, thank you for reporting.
Not knowing anything about your setup - is that correct that you have SSLv3 on the server you are trying to connect to?

AFAIK this is not secure anymore. So maybe you should consider changing the server you are trying to connect to, not to use sslv3 anymore.

I guess I will have a look at it, but I somehow don't like supporting insecure stuff (user's choice OFC.. but meh :-D )

Since I don't really consider myself to be an expert regarding SSL/the python SSL library in general I will have to read a bit. Maybe you even have to enable SSLv3 in your system to get it to work. Not sure if just telling python to use SSLv3 works if the openssl library (or whatever python uses) does not support it.

I would think it would be better if you check your server setup.

Unfortunately, I'm not in the position to check the server configuration. What irritates me is that my fallback solution - using the requests package and accessing the REST API directly - works without any errors. I did not find out where exactly your package enforces somewhat higher security restrictions than the default behavior?

That is strange! So, the error message is really exactly the same (excluding the domain and port ofc), containing Error([('SSL routines', 'ssl3_get_record', 'wrong version number')?

Regarding where I set up the ssl stuff:
https://github.com/Vaelor/python-mattermost-driver/blob/master/src/mattermostdriver/websocket.py#L29

IMHO I don't do anything fancy there (but, as mentioned before my knowledge in this area is pretty rough :-D), but I can't guarantee that I in fact did some kind of mistake there that in some cases could prove problematic. Not sure what the default requests behaviour regarding sslv3 is (if that really is your problem)

Oh and, if you want to remotely check what kind of ssl support your server has, try nmap, it has helped me a lot of times :)
$ nmap --script ssl-enum-ciphers -p 443 www.example.com
https://maxchadwick.xyz/blog/checking-ssl-tls-version-support-of-remote-host-from-command-line#nmap-ssl-enum-ciphers

https://testssl.sh is probably better/easier and more thorough

Server seems ok:

 SSLv2      not offered (OK)
 SSLv3      not offered (OK)
 TLS 1      not offered
 TLS 1.1    not offered
 TLS 1.2    offered (OK)
 TLS 1.3    not offered
 NPN/SPDY   h2, http/1.1 (advertised)
 ALPN/HTTP2 h2, http/1.1 (offered)

I'll check the exact error message I get with your driver later.
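Added example, not part of the thread or of the driver's code: `ssl3_get_record` is OpenSSL's record-reading routine for every protocol version, and "wrong version number" means the first bytes it received did not parse as a TLS record header, which commonly happens when the port answers in plain HTTP. The sketch below sends a real ClientHello over a raw socket and reports what the port sent back; the function names `client_hello`, `classify_first_bytes` and `probe` are hypothetical, and the host and port are whatever you pass on the command line.

```python
import socket
import ssl
import struct

# TLS record content types defined by the protocol
RECORD_TYPES = {20: "change_cipher_spec", 21: "alert",
                22: "handshake", 23: "application_data"}


def client_hello(server_name: str) -> bytes:
    """Let the ssl module build a real ClientHello without touching the network."""
    incoming, outgoing = ssl.MemoryBIO(), ssl.MemoryBIO()
    ctx = ssl.create_default_context()
    tls = ctx.wrap_bio(incoming, outgoing, server_hostname=server_name)
    try:
        tls.do_handshake()
    except ssl.SSLWantReadError:
        pass  # expected: the handshake is now waiting for the server's reply
    return outgoing.read()


def classify_first_bytes(data: bytes) -> str:
    """Describe the peer's first bytes the way a TLS record parser sees them."""
    if data[:5] == b"HTTP/":
        return "plaintext HTTP reply: this port is not speaking TLS"
    if len(data) < 5:
        return "too short to be a TLS record header"
    ctype, major, minor, length = struct.unpack("!BBBH", data[:5])
    # A valid header has a known content type, major version 3 and a sane length
    if ctype in RECORD_TYPES and major == 3 and minor <= 4 and length <= 2**14 + 2048:
        return f"TLS record ({RECORD_TYPES[ctype]}, record version 3.{minor})"
    return "not a TLS record"


def probe(host: str, port: int, timeout: float = 5.0) -> str:
    """Send a ClientHello over a raw TCP socket and classify the answer."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(client_hello(host))
        return classify_first_bytes(sock.recv(5))


if __name__ == "__main__":
    import sys
    print(probe(sys.argv[1], int(sys.argv[2])))
```

Run it against the exact host and port the driver is configured with; a "plaintext HTTP reply" result points at the scheme or port setting rather than at the server's protocol versions.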